(19) European Patent Office
     Europäisches Patentamt
     Office européen des brevets

(11) EP 0 887 981 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 30.12.1998 Bulletin 1998/53

(21) Application number: 98304869.5

(22) Date of filing: 19.06.1998

(51) Int. Cl.: H04L 29/06

(84) Designated Contracting States: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE
     Designated Extension States: AL LT LV MK RO SI

(30) Priority: 26.06.1997 US 883636

(71) Applicant: SUN MICROSYSTEMS, INC., Mountain View, California 94043-1100 (US)

(72) Inventor: Gong, Li, Menlo Park, California 94025 (US)

(74) Representative: Read, Matthew Charles et al, Venner Shipley & Co., 20 Little Britain, London EC1A 7DH (GB)

(54) Layer-independent security for communication channels



(57) A method and apparatus for providing layer-independent secure network communication is provided. According to an embodiment of the invention, a transmission medium is provided between a first network node and a second network node. Both the first network node and the second network node support at least one common communication protocol. A Java output stream is established between a first process executing on the first network node and the transmission medium. Also, a Java input stream is established between a second process executing on the second network node and the transmission medium. Data to be transmitted from the first process to the second process is encrypted by the first process and written to the Java output stream. The data is transmitted to the second network node. Then the data is read from the Java input stream by the second process and decrypted.
Description

FIELD OF THE INVENTION

The invention relates to data security, and more specifically, to a method and apparatus for providing layer-independent security in network communications.

BACKGROUND OF THE INVENTION 



Some communication networks, particularly complex ones, support multiple communication protocols or "layers." Each layer specifies some functionality or "service" of the network and interacts with the layers immediately above and below, using services of the layer immediately below while providing services to the layer immediately above. The lowest layer in a communication network typically governs direct communication between the hardware at different network nodes, while the highest layer handles direct communication with application programs executing on the network nodes.

The layered approach to implementing communication networks simplifies the creation and modification of complex communication architectures by providing for incremental changes on a layer-by-layer basis which are transparent to other layers in the architecture. Two examples of layered communication protocols are the Transmission Control Protocol/Internet Protocol (TCP/IP), which has five layers, and the International Standards Organization's (ISO) Open Systems Interconnection (OSI) Reference Model (RM), which has seven layers.

The proliferation of communication networks and the increased frequency of security breaches have underscored the importance of providing secure network communications. Many communication networks depend upon a secure communication connection or "channel" to maintain security. In the context of secure communication networks, a secure communication channel is a connection which provides for the encryption, authentication or otherwise secure transmission of data between network nodes.

Sometimes, setup negotiation is used to establish security for a communication channel. In the context of network communications, setup negotiation refers to specifying and agreeing to the details about security for a communication channel, such as the details of a particular encryption scheme to be used. Once setup negotiation is complete, all communication during the session conforms to the agreed upon security protocol, which provides secure communication.

Setup negotiation is an effective tool for providing secure communication during a communication session. However, when the amount of information included in each session is small, for example when a session contains only a single message, then the overhead attributable to setup negotiation can adversely affect communication performance. Moreover, some communication architectures do not include a session layer, which requires that a session layer be added to support session-type security, further degrading performance.

Another approach for providing a secure communication channel involves encrypting or encoding data at a specific layer on a transmitting network node and then decrypting or decoding the data at a corresponding layer on a destination network node. Encrypting data at a specific layer typically involves applying an encryption algorithm based upon the format of data at a particular layer. Header data added by higher layers is also encrypted. Layer-specific encryption is particularly useful in datagram-based or packet-based networks, which are typically sessionless and encapsulate data in datagram packets or some other type of data packet. For example, header data may be added to a data packet so that the data packet conforms to a particular format. This approach also provides for multiple encryptions to be performed at different layers.

Although layer-specific encryption can provide a secure communication channel while avoiding the overhead penalty associated with setup negotiation, it does have several limitations. First, all encryption and decryption must occur at the same corresponding layer on both the transmitting and receiving network nodes, according to the specific protocol supported by that layer. For example, Simple Key Management for Internet Protocols (SKIP) is designed to be used with Internet Protocol packets at the network layer, which requires Internet layer-specific function calls. On the other hand, Netscape Communications Corporation's Secure Sockets Layer (SSL) is designed to be used at the (Unix) socket layer and requires socket layer-specific function calls to encrypt and decrypt data. The result is that one application implementing security according to SKIP cannot interact with another application implementing security according to SSL.

In addition, layer-specific encryption can be difficult to employ in object-oriented environments because of the inherent level of abstraction required. For example, some layers operate on data bytes, which often is a much lower level than objects in an object-oriented environment.

In view of both the need to provide secure communication channels and the limitations in the prior approaches, an approach for providing a secure communication channel which does not rely upon layer-specific encryption and which does not require setup negotiation is highly desirable.


SUMMARY OF THE INVENTION 



According to one aspect of the invention, a method provides communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node. Both the first network node and the second network node each support at least one common communication protocol. According to the method, a communication channel is established between the first network node and the second network node. Then, a first stream is established between the first process and the communication channel.

In the context of the invention, a "stream" is an abstraction which refers to the transfer or "flow" of data, in any format, from a single source to a single destination. A stream typically flows through a channel or connection between the sender and receiver, in contrast to data packets, which are typically individually addressed and which may be routed independently to multiple recipients. Hence, an application can write data to, or read data from, a stream without knowing the actual destination or source, respectively, of the data.

After the first stream is established between the first process and the communication channel, a second stream is established between the second process and the communication channel. Data to be transmitted between the first and second processes is encrypted. The encryption of the data is independent of the communication protocol supported by the first network node. The encrypted data is then written to the first stream, which causes the encrypted data to be transmitted from the first network node to the second network node. The encrypted data is read from the second stream and then decrypted to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which like reference numerals refer to similar elements and in which:

Figure 1 is a block diagram of a multi-layered communication network according to an embodiment of the invention;

Figure 2 is a block diagram of a multi-layered communication network according to another embodiment of the invention;

Figure 3 illustrates a stream format according to an embodiment of the invention;

Figure 4 is a flow chart illustrating a method for providing layer-independent secure communication in a multi-layered communication network according to an embodiment of the invention;

Figure 5 is a block diagram of a Java secure channel arrangement according to an embodiment of the invention; and

Figure 6 is a block diagram of a computer system on which the invention may be implemented.



DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

A method and apparatus for providing layer-independent secure communications in a multi-layered communication network is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, the invention may be practiced without these specific details. In other instances, well-known structures and devices are illustrated in block diagram form in order to avoid unnecessarily obscuring the invention.

FUNCTIONAL OVERVIEW

The invention provides a method and apparatus for providing layer-independent secure communications in a multi-layered communication network. In general, a communication channel or connection is first established between a first multi-layered network node and a second multi-layered network node. Then, a first stream is established between a first process, executing on the first multi-layered network node, and the communication channel. A second stream is then established between a second process, executing on the second multi-layered network node, and the communication channel. Then, the first process performs a layer-independent encryption of data to be transmitted between the first and second multi-layered network nodes and writes the encrypted data to the first stream, which causes the encrypted data to be transmitted to the second multi-layered network node. Then, the encrypted data is read by the second process from the second stream and decrypted, so that the decrypted data is identical to the data on the first multi-layered network node prior to being encrypted.

Figure 1 illustrates a multi-layered communication network 100 to which the invention is applicable. In general, multi-layered communication network 100 includes multi-layered nodes 102, 104, communicatively coupled by transmission medium 106. Although multi-layered communication network 100 may resemble the International Standards Organization (ISO) Open Systems Interconnection (OSI) Reference Model (RM), the invention is applicable to any multi-layered communication network.

A process 108 executes on multi-layered node 102 while a process 110 executes on multi-layered node 104. Multi-layered node 102 supports a multi-layered communication hierarchy 112, where each identified layer supports a particular communication protocol. Each layer in hierarchy 112 offers certain services to the higher layers while shielding the higher layers from the details of how those services are actually implemented. Multi-layered node 104 also supports a multi-layered communication hierarchy 114, which includes layers corresponding to the layers in hierarchy 112. All data transmitted from process 108 to transmission medium 106 conforms to all communication protocols supported by hierarchy 112.

For example, to transmit data 116 from process 108 to transmission medium 106, data 116 must first conform to an application protocol specified by application layer 118 on multi-layered node 102. According to one embodiment of the invention, this requires that data 116 be formatted according to the application layer 118 protocol and that an application protocol header AH, which specifies the format of data 116, be appended to the front end of data 116.

This process is repeated for each layer in hierarchy 112. According to one embodiment of the invention, the formatting of data 116 according to a data link layer 120 involves the addition of both a header portion DH and a trailer portion DT to a data portion 122. It should be noted that data link layer 120 is not aware of which portion of data portion 122 corresponds to data 116 and which portion represents formatting information of higher layers. Data link layer 120 formats the entire data portion 122 without regard to which portion may be "real" data 116 and which portion is formatting information added by higher layers in hierarchy 112.

When messages are received by multi-layered node 104 from transmission medium 106, a reverse process occurs. Since messages must conform to the application layer protocol before being processed by process 110, any formatting information attributable to layers below application layer 128 must be removed.

As previously discussed, one approach for providing secure communication between process 108 and process 110 is to have processes 108, 110 perform setup negotiation prior to transmitting data. However, this approach can adversely affect data throughput, particularly when the setup negotiation is performed on a packet-by-packet basis.

Another previously discussed approach is to encrypt the data at one of the layers in hierarchy 112 on multi-layered node 102 before transmitting the data on transmission medium 106. Then, after the encrypted data is received on node 104, the data is decrypted at the corresponding layer in hierarchy 114 on multi-layered node 104 before the data is received by process 110. For example, data may be encrypted at the network layer 124 on multi-layered node 102 and then decrypted at network layer 126 on multi-layered node 104 on a packet-by-packet basis. Although this approach is robust from a security standpoint, the data must be decrypted at the same layer at which the data was encrypted.

LAYER-INDEPENDENT SECURITY 



An approach which provides layer-independent secure network communication in a multi-layered communication network according to an embodiment of the invention is illustrated by the block diagram of Figure 2. A multi-layered communication network 200 includes multi-layered nodes 202, 204 which are communicatively coupled by a transmission medium 206. A process 208 executes on multi-layered node 202 while a process 210 executes on multi-layered node 204.

Multi-layered nodes 202, 204 each support one or more communication layers (protocols) including socket layers 212, 214, respectively. Socket layers 212, 214 provide an interface between processes 208, 210, respectively, and transmission medium 206. Multi-layered nodes 202, 204 may support additional layers (not illustrated) both above and below socket layers 212, 214. Accordingly, socket layers 212, 214 each include sockets (not illustrated), which are end points similar to an OSI Transport Service Access Point (TSAP), and which provide a connection between layers above and below socket layers 212, 214. In addition, a Java secure channel 216 is provided between node 202 and node 204. Java secure channel 216 provides for the layer-independent encryption of high level data constructs such as objects.

Generally, according to an embodiment of the invention, layer-independent security for communications between process 208 and process 210 is provided by process 208 encrypting data which is then written to a Java output stream 218. A Java stream is a stream which provides for the transfer of low level data constructs, such as bytes, as well as high level data constructs, such as serialized objects, between a source and a destination. The data is then conformed to a socket layer protocol by socket layer 212 and written to transmission medium 206. The data is then processed according to the socket layer protocol by socket layer 214, read from a Java input stream 220 by process 210 and finally decrypted by process 210.

Encryption of stream data according to embodiments of the invention is by definition layer-independent and provides a level of abstractness which is compatible with many abstract processes and languages which support streams, such as object-oriented languages. Besides the layer-independent data encryption performed by process 208, additional (layer-dependent) encryption may be provided at any layer in node 202, with decryption being performed at the corresponding peer layer in node 204.
The data format of object output stream 218 and object input stream 220 is illustrated in Figure 3. Generally, stream format 300 is an abstract message format which is self-contained and layer-independent. Stream format 300 includes 1 to N variable length messages (M1, M2 ... Mn). Each message (M1, M2 ... Mn) includes a header portion (H1, H2 ... Hn) and a data portion (D1, D2 ... Dn). According to one embodiment of the invention, each header portion (H1, H2 ... Hn) specifies the length of the associated data portion (D1, D2 ... Dn) and also includes encryption key/authentication information which eliminates the need for setup negotiation. However, certain encryption key/authentication information is established once during system setup so that recipients of the messages (M1, M2 ... Mn) can decrypt data contained in the data portion (D1, D2 ... Dn) of each message (M1, M2 ... Mn).

The flexibility of stream format 300 of the invention provides for the implementation of various encryption/authentication approaches and is not limited to the particular encryption/authentication approach described herein. In addition, since stream format 300 is layer-independent, various data formats may be employed without departing from the scope of the invention.

The specific steps for providing layer-independent security of network communication according to an embodiment of the invention are now described with reference to both the block diagram of Figure 2 and the flow chart of Figure 4. Generally, the steps are described in the context of an object-oriented programming method associated with an object, contained in process 208, which invokes a method associated with a remotely located object contained in process 210. In the non-object-oriented context, this is very similar to process 208 issuing a remote procedure call (RPC) to invoke a process remotely located on multi-layered node 204. For purposes of explanation, the data transmitted by the method associated with the object contained in process 208 which invokes the method associated with the remotely located object contained in process 210 is hereinafter referred to as the "object data."

After starting in step 400, in step 402, multi-layered nodes 202, 204 establish an encryption/authentication approach during system setup. Unlike traditional setup negotiation, which must be continuously re-negotiated, such as on a per-session basis, the agreed upon encryption/authentication approach established between multi-layered nodes 202, 204 only needs to be set up once during system setup, or when either multi-layered node 202, 204 is connected to another node and the security techniques described herein are to be employed with that other node.

In step 404, a Java secure channel 216 is established between node 202 and node 204. According to one embodiment of the invention, Java secure channel 216 is an object class which is defined and invoked by process 208.

In step 406, object output stream 218 is established between process 208 and socket layer 212, and in step 408, object input stream 220 is established between socket layer 214 and process 210. According to one embodiment of the invention, object output stream 218 is an object class defined by process 208 while object input stream 220 is an object class defined by process 210.

In step 410, the object data to be transmitted from process 208 to process 210 is serialized, sometimes referred to as "flattening the object," and then encrypted in step 412 based upon the encryption/authentication approach established in step 402.

In step 414, the object data (serialized and encrypted) is written to object output stream 218, which is received by socket layer 212 and formatted according to the socket layer protocol. In step 416, the object data is transmitted from socket layer 212 of multi-layered node 202 to socket layer 214 of multi-layered node 204 over transmission medium 206.

As previously discussed, multi-layered node 202 is illustrated as having a single layer, socket layer 212, while multi-layered node 204 is illustrated as having a single layer, socket layer 214, for purposes of explanation. However, multi-layered nodes 202, 204 may be multi-layered and contain other layers above and below socket layers 212, 214. Consequently, although according to an embodiment of the invention the object data is transmitted onto transmission medium 206 in the format illustrated in Figure 3, it is understood that additional formatting of the object data may be performed according to various other communication protocols contained in multi-layered nodes 202, 204. For example, if multi-layered node 202 also supports the Internet Protocol (IP), then each message (M1, M2 ... Mn) illustrated in Figure 3 would also contain IP header information.

After the object data is received by socket layer 214, the object data is read from object input stream 220 by process 210 in step 418. In step 420, the object data is decrypted according to the encryption/authentication approach established in step 402. Then, in step 422, the object data is de-serialized and the method associated with the object remotely located in process 210 is executed. Finally, the process is complete in step 424.
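Steps 402 through 422 as an added example (not code from the patent, and not Sun's implementation): a pre-shared AES key stands in for the encryption/authentication approach of step 402, each message is framed as in Figure 3 with a header carrying the data length and a per-message nonce, and a byte array stands in for socket layers 212, 214 and transmission medium 206. AES-GCM, the Invocation class and the length bound are assumptions; the patent leaves the cipher and the exact header contents open.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not code from the patent: steps 402-422 of Figure 4 over a
 * byte array that stands in for socket layers 212/214 and transmission medium
 * 206. Each message follows Figure 3: a header (length of the data portion plus
 * a per-message nonce) and then the encrypted data portion. AES-GCM and the
 * Invocation class are assumptions; the patent leaves both open.
 */
public class SecureStreamExample {
    private static final int NONCE_LEN = 12;      // 96-bit GCM nonce
    private static final int TAG_LEN = 16;        // 128-bit authentication tag
    private static final int MAX_DATA = 1 << 20;  // reject absurd lengths before allocating

    /** Hypothetical "object data" of step 410: a remote method invocation. */
    public static final class Invocation implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String method;
        public final int argument;
        public Invocation(String method, int argument) { this.method = method; this.argument = argument; }
        @Override public String toString() { return method + "(" + argument + ")"; }
    }

    /** Sender side (process 208), steps 410-414: serialize, encrypt, write header then data. */
    public static void writeMessage(DataOutputStream out, SecretKeySpec key, Serializable obj)
            throws IOException, GeneralSecurityException {
        ByteArrayOutputStream flat = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(flat)) {
            oos.writeObject(obj);                                   // step 410: "flatten the object"
        }
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);                        // fresh per message; reuse under one key breaks GCM
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_LEN * 8, nonce));
        byte[] data = cipher.doFinal(flat.toByteArray());           // step 412: ciphertext || tag
        out.writeInt(data.length);                                  // header: length of the data portion ...
        out.write(nonce);                                           // ... and the per-message value the receiver needs
        out.write(data);                                            // data portion
    }

    /** Receiver side (process 210), steps 418-422: read header, read exactly that much, decrypt, deserialize. */
    public static Object readMessage(DataInputStream in, SecretKeySpec key)
            throws IOException, ClassNotFoundException, GeneralSecurityException {
        int length = in.readInt();
        if (length < TAG_LEN || length > MAX_DATA) {
            throw new IOException("implausible data length " + length);
        }
        byte[] nonce = new byte[NONCE_LEN];
        byte[] data = new byte[length];
        in.readFully(nonce);                                        // EOFException on a truncated stream
        in.readFully(data);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_LEN * 8, nonce));
        byte[] flat = cipher.doFinal(data);                         // step 420; AEADBadTagException if tampered
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(flat))) {
            // Deserialize only after the tag verified, and only the class this channel expects (Java 9+ filter).
            ois.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                return (c == null || c == Invocation.class || c == String.class)
                        ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
            });
            return ois.readObject();                                // step 422
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);                          // step 402: agreed once at system setup, not per session
        SecretKeySpec key = new SecretKeySpec(raw, "AES");

        ByteArrayOutputStream medium = new ByteArrayOutputStream();  // stands in for socket layer 212 and medium 206
        try (DataOutputStream out = new DataOutputStream(medium)) {
            writeMessage(out, key, new Invocation("add", 1));
            writeMessage(out, key, new Invocation("add", 2));
        }
        byte[] wire = medium.toByteArray();

        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(wire))) {
            System.out.println("received " + readMessage(in, key));
            System.out.println("received " + readMessage(in, key));
        }

        wire[wire.length - 1] ^= 0x01;                              // flip one bit in the second message's tag
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(wire))) {
            readMessage(in, key);                                   // first message still verifies
            readMessage(in, key);
            System.out.println("BUG: tampered message accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered message rejected before deserialization");
        }
    }
}
```

Compile and run with `javac SecureStreamExample.java && java SecureStreamExample` (Java 9 or later for the deserialization filter). Two points the patent text does not spell out: the receiver reads exactly the header-declared number of bytes before decrypting, which is what lets a lower layer or a firewall locate the data portion without understanding the object format, and de-serialization (step 422) happens only after the authentication tag has verified, with a filter restricting which classes may be instantiated, since an ObjectInputStream fed attacker-controlled bytes would otherwise instantiate any serializable class on the classpath.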
Although embodiments of the invention have been described in the context of encrypting and decrypting object data by processes 208, 210, which are effectively above all of the layers supported by multi-layered nodes 202, 204, respectively, data may be encrypted and decrypted at any layer supported by multi-layered nodes 202, 204, since the encryption of data is performed before the data is written to a stream and is therefore layer-independent.

For example, referring again to Figure 1, according to another embodiment of the invention, process 108 encrypts data 116 and then writes data 116 to a stream (not illustrated) which is formatted according to the protocol hierarchy 112 and transmitted to multi-layered node 104 on transmission medium 106. Since data 116 was encrypted at the stream level, data 116 may be decrypted at any layer in hierarchy 114, so long as data 116 can be extracted from the data stream. Typically, the size and position of data 116 within a data chunk is known, which allows data 116 to be extracted from a data chunk even though the data chunk contains protocol-specific information from higher layers. However, if data 116 is encrypted at any other layer in hierarchy 112, then data 116 must first be decrypted at a corresponding layer in hierarchy 114.
According to another embodiment of the invention, a stream is connected to several other protocol-specific streams to support the broadcasting or multicasting of encrypted information. Figure 5 illustrates an arrangement 500 which includes a stream 502 according to an embodiment of the invention, connected by connectors 504 to intelligent converters 506, which convert stream 502 into protocol-specific streams 508 such as file I/O, object I/O and socket I/O streams. Converters 506 have the capability to extract the data portion from stream 502 to support streams 508 at any protocol layer.

According to arrangement 500, any number of protocol-specific streams 508 may be connected to stream 502. In addition, the headers of messages in stream 502 may contain destination-specific encryption/authentication information. For example, stream 502 may contain an encryption/authentication value A, while a recipient of one of the protocol-specific streams 508 holds a key value X, making the decryption of stream 502 a function of A and X (key = f(A, X)). Likewise, similar keys may be developed for the other protocol-specific streams 508.
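The patent does not say what f is. As an added example (not code from the patent), one way to realize key = f(A, X) for arrangement 500 is a keyed pseudorandom function: A is the value carried in the message header in the clear, X is the secret a recipient behind one of streams 508 holds, and the key is HMAC-SHA256 keyed with X over a fixed label and A. HMAC-SHA256, the label text, the 128-bit output and the two recipients are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not code from the patent: one possible f for key = f(A, X) in
 * arrangement 500. A travels in the header of stream 502 in the clear; X is the
 * secret held by the recipient of one protocol-specific stream 508. HMAC-SHA256,
 * the label and the key length are assumptions.
 */
public class DerivedKeyExample {
    private static final byte[] LABEL = "stream 502 data key".getBytes(StandardCharsets.US_ASCII);
    private static final int KEY_LEN = 16;  // 128-bit AES key

    /** f(A, X) = HMAC-SHA256(X, LABEL || A), truncated to KEY_LEN bytes. */
    public static byte[] deriveKey(byte[] a, byte[] x) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(x, "HmacSHA256"));  // X keys the MAC, so A alone reveals nothing about the key
        mac.update(LABEL);                             // binds the derivation to this use of the stream
        mac.update(a);
        return Arrays.copyOf(mac.doFinal(), KEY_LEN);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] a = new byte[16];
        rng.nextBytes(a);                              // header value A, transmitted in the clear
        byte[] xFile = new byte[32], xSocket = new byte[32];
        rng.nextBytes(xFile);                          // secret of the recipient behind the file I/O stream
        rng.nextBytes(xSocket);                        // secret of the recipient behind the socket I/O stream

        byte[] kFile = deriveKey(a, xFile);
        byte[] kSocket = deriveKey(a, xSocket);
        System.out.println("receiver recomputes the sender's key: " + Arrays.equals(kFile, deriveKey(a, xFile)));
        System.out.println("different X gives an unrelated key: " + !Arrays.equals(kFile, kSocket));

        byte[] a2 = new byte[16];
        rng.nextBytes(a2);                             // next message carries a new A in its header
        System.out.println("new A rotates the key without new setup: " + !Arrays.equals(kFile, deriveKey(a2, xFile)));
    }
}
```

Deriving the data key this way keeps X out of the stream entirely and lets the header value A change per message, so the one-time setup of step 402 (distributing X) is all the negotiation the recipient ever needs. Because each recipient's key differs, a sender broadcasting to several of streams 508 has to produce a data portion per derived key, or carry a per-recipient value in the header; the patent leaves that choice open.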

HARDWARE OVERVIEW 



Figure 6 is a block diagram which illustrates a computer system 600 upon which an embodiment of the invention may be implemented. Computer system 600 includes a bus 602 or other communication mechanism for communicating information, and a processor 604 coupled with bus 602 for processing information. Computer system 600 also includes a main memory 606, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 602 for storing information and instructions to be executed by processor 604. Main memory 606 also may be used for storing temporary variables or other intermediate information during execution of instructions by processor 604. Computer system 600 also includes a read only memory (ROM) 608 or other static storage device coupled to bus 602 for storing static information and instructions for processor 604. A storage device 610, such as a magnetic disk or optical disk, is also provided and coupled to bus 602 for storing information and instructions.

Computer system 600 may also be coupled via bus 602 to a display 612, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 614, including alphanumeric and other keys, is also provided and coupled to bus 602 for communicating information and command selections to processor 604. Another type of user input device is cursor control 616, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 604 and for controlling cursor movement on display 612. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), which allows the device to specify positions in a plane.

The invention is related to the use of computer system 600 to provide layer-independent secure network communication. According to one embodiment of the invention, layer-independent secure network communication is provided by computer system 600 in response to processor 604 executing sequences of instructions contained in main memory 606. Such instructions may be read into main memory 606 from another computer-readable medium, such as storage device 610. However, the computer-readable medium is not limited to devices such as storage device 610. For example, the computer-readable medium may include a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, or any other medium from which a computer can read. Execution of the sequences of instructions contained in main memory 606 causes processor 604 to perform the process steps previously described. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

Computer system 600 also includes a communication interface 618 coupled to bus 602. Communication interface 618 provides a two-way data communication coupling to a network link 620 that is connected to a local network 622. For example, if communication interface 618 is an integrated services digital network (ISDN) card or a modem, communication interface 618 provides a data communication connection to the corresponding type of telephone line. If communication interface 618 is a local area network (LAN) card, communication interface 618 provides a data communication connection to a compatible LAN. Wireless links are also possible. In any such implementation, communication interface 618 sends and receives electrical, electromagnetic or optical signals which carry digital data streams representing various types of information.

Network link 620 typically provides data communication through one or more networks to other data devices. For example, network link 620 may provide a connection through local network 622 to a host computer 624 or to data equipment operated by an Internet Service Provider (ISP) 626. ISP 626 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the "Internet" 628. Local network 622 and Internet 628 both use electrical, electromagnetic or optical signals which carry digital data streams. The signals through the various networks and the signals on network link 620 and through communication interface 618, which carry the digital data to and from computer system 600, are exemplary forms of carrier waves transporting the information.

Computer system 600 can send messages and receive data, including program code, through the network(s), network link 620 and communication interface 618. In the Internet example, a server 630 might transmit a requested code for an application program through Internet 628, ISP 626, local network 622 and communication interface 618. In accord with the invention, one such downloaded application provides for layer-independent secure network communication as described herein.

The received code may be executed by processor 604 as it is received, and/or stored in storage device 610, or other non-volatile storage for later execution. In this manner, computer system 600 may obtain application code in the form of a carrier wave.

Although the invention has been described in the context of connection-based communication architectures, the invention is also applicable to sessionless datagram or packet based communication architectures.

The invention provides several advantages over prior approaches for implementing secure network communications. Most importantly, security is implemented using streams which are layer-independent. This allows an encrypted stream to be decrypted at any layer without requiring the use of layer-specific calls to perform the decryption, which provides greater flexibility than prior approaches. For example, an encrypted stream transmitted by a sending node may be decrypted by a firewall connection at the network (packet) layer having knowledge of the encryption approach negotiated during system setup. Moreover, this approach does not affect existing encryption being carried out at various layers. The approach of the invention avoids the setup negotiation which can significantly degrade communication performance in certain situations.
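The stream-based arrangement described above and claimed below, as an added example written for this edition rather than code from the patent: the sending process wraps whatever OutputStream the channel exposes in an encrypting stream, the receiving process wraps the matching InputStream in a decrypting one, and the transport in between only ever moves opaque bytes. AES-GCM, a generated key standing in for the key negotiated at setup, an in-memory ByteArrayOutputStream standing in for the transmission medium, and Java 11 or later are all assumptions of this example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Added example, not code from the patent. AES-GCM and the in-memory
// transport are assumptions; any OutputStream/InputStream pair would do.
public class LayerIndependentStreams {
    static final int TAG_BITS = 128;
    static final int IV_BYTES = 12;
    static final String ALG = "AES/GCM/NoPadding";

    // Sender: encrypt into whatever stream the channel exposes. The channel
    // never sees the key or the cipher, only the bytes written through it.
    static void sendEncrypted(SecretKey key, byte[] plaintext, OutputStream channel) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);         // fresh nonce per message, never reused with this key
        channel.write(iv);                        // nonce travels in the clear ahead of the ciphertext
        Cipher enc = Cipher.getInstance(ALG);
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        try (CipherOutputStream out = new CipherOutputStream(channel, enc)) {
            out.write(plaintext);
        }                                         // close() emits the final block and the GCM tag
    }

    // Receiver: decrypt from the channel's input stream at whatever layer
    // holds the key. A tampered stream ends in an IOException, not in bytes.
    static byte[] receiveDecrypted(SecretKey key, InputStream channel) throws Exception {
        byte[] iv = channel.readNBytes(IV_BYTES); // Java 11+
        Cipher dec = Cipher.getInstance(ALG);
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        try (CipherInputStream in = new CipherInputStream(channel, dec)) {
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // stands in for the key agreed at setup
        ByteArrayOutputStream medium = new ByteArrayOutputStream();     // stands in for the transmission medium
        sendEncrypted(key, "layer-independent payload".getBytes(StandardCharsets.UTF_8), medium);
        byte[] wire = medium.toByteArray();
        System.out.println(new String(receiveDecrypted(key, new ByteArrayInputStream(wire)), StandardCharsets.UTF_8));

        wire[wire.length - 1] ^= 0x01;            // corrupt one byte of the tag "in transit"
        try {
            receiveDecrypted(key, new ByteArrayInputStream(wire));
        } catch (IOException e) {
            System.out.println("tag check failed: " + e.getMessage());
        }
    }
}
```

Because the key and cipher live only in the two processes, a node in the middle (the firewall of the text, say) can decrypt the same byte stream only if it was given the negotiated key; every other hop forwards the bytes unchanged.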

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.



Claims 

1. A method for providing communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol, the method comprising the steps of:

a) establishing a communication channel between the first network node and the second network node;

b) establishing a first stream between the first process and the communication channel;

c) establishing a second stream between the second process and the communication channel;

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the at least one communication protocol supported by the first network node;

e) writing the encrypted data to the first stream;

f) causing the encrypted data to be transmitted from the first network node to the second network node;

g) reading the encrypted data from the second stream; and

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

2. The method of Claim 1, further including the steps of

a) performing a communication protocol-specific encryption of the data on the first network node, and

b) performing a communication protocol-specific decryption of the data on the second network node.
3. The method of Claim 1, wherein the communication channel is a Java secure channel,

wherein the first stream is a first Java stream,
wherein the second stream is a second Java stream,

wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes,
wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel,
wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel,

wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and

wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream.

4. The method of Claim 1, wherein the communication channel is a Java secure channel, wherein the first stream is a Java stream,

wherein the second stream is a Java stream,
wherein the method further comprises the step of connecting the Java secure channel to a third Java stream, and

wherein the third Java stream provides for the transmission of data according to a specific communication protocol.

5. A computer-readable medium having stored thereon a plurality of sequences of instructions for providing communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol, the plurality of sequences of instructions including sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:

a) establishing a communication channel between the first network node and the second network node;

b) establishing a first stream between the first process and the communication channel;

c) establishing a second stream between the second process and the communication channel;

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the communication protocols supported by the first network node;

e) writing the encrypted data to the first stream;

f) causing the encrypted data to be transmitted from the first network node to the second network node;

g) reading the encrypted data from the second stream; and

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

6. The computer-readable medium of Claim 5, wherein the computer-readable medium further includes instructions for performing the steps of

a) performing a communication protocol-specific encryption of the data on the first network node, and

b) performing a communication protocol-specific decryption of the data on the second network node.

7. The computer-readable medium of Claim 5, wherein the first stream is a first Java stream,

wherein the second stream is a second Java stream,

wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes,
wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel,
wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel,

wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and

wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream.

8. The computer-readable medium of Claim 5, wherein the communication channel is a Java secure channel,

wherein the first stream is a Java stream,
wherein the second stream is a Java stream,
wherein the computer-readable medium further includes instructions for connecting the Java secure channel to a third Java stream, and
wherein the third Java stream provides for the transmission of data according to a specific communication protocol.

9. A communication network providing communication protocol-independent secure communication between a first network node and a second network node, wherein the first network node and the second network node each support at least one common communication protocol, wherein the first network node is communicatively coupled to the second network node by a communication channel, the communication network comprising:

a) a first process executing on the first network node, wherein the first process provides for the communication protocol-independent encryption of data;

b) a first stream which provides for the transfer of encrypted data between the first process and the communication channel;

c) a second process executing on the second network node; and

d) a second stream which provides for the transfer of encrypted data between the communication channel and the second process, wherein the second process also provides for the decryption of data which has been encrypted by the first process.

10. The communication network of Claim 9, wherein the second process further includes the capability to decrypt data based upon any communication protocol supported by the second network node.

11. The communication network of Claim 9, wherein the communication channel is a Java secure channel, the first stream is a Java stream and the second stream is a Java stream.

12. The communication network of Claim 11, further comprising a third Java stream connected to the Java secure channel, the third Java stream providing for the transmission of data according to a specific communication protocol.

13. A computer data signal embodied in a carrier wave and representing sequences of instruction which, when executed by one or more processors, provide communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol by performing the steps of:

a) establishing a communication channel between the first network node and the second network node;

b) establishing a first stream between the first process and the communication channel;

c) establishing a second stream between the second process and the communication channel;

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the communication protocols supported by the first network node;

e) writing the encrypted data to the first stream;

f) causing the encrypted data to be transmitted from the first network node to the second network node;

g) reading the encrypted data from the second stream; and

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

14. The computer data signal of Claim 13, wherein the computer sequence of instructions further includes instructions for performing the steps of

a) performing a communication protocol-specific encryption of the data on the first network node, and

b) performing a communication protocol-specific decryption of the data on the second network node.

15. The computer data signal of Claim 13, wherein the first stream is a first Java stream,

wherein the second stream is a second Java stream,

wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes,
wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel,
wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel,

wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and

wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream.

16. The computer data signal of Claim 13, wherein the communication channel is a Java secure channel,

wherein the first stream is a Java stream,
wherein the second stream is a Java stream,
wherein the computer sequence of instructions further includes instructions for connecting the Java secure channel to a third Java stream, and
wherein the third Java stream provides for the transmission of data according to a specific communication protocol.

17. A method for providing communication protocol-independent security for data transmitted by a process executing on a network node, the method comprising the steps of:

a) establishing a stream between the process and a communication channel;

b) encrypting data to be transmitted by the process, the encrypting of the data being independent of a communication protocol supported by the network node;

c) writing the encrypted data to the stream, and

d) causing the encrypted data to be transmitted from the network node to the communication channel.

18. The method of Claim 17, wherein the communication channel is a Java secure channel,

wherein the stream is a first Java stream,
wherein the step of establishing a stream between the process and the communication channel further comprises the step of establishing a Java stream between the process and the Java secure channel, and

wherein the step of writing the encrypted data to the stream further comprises the step of writing the encrypted data to the Java stream.

19. The method of Claim 17, wherein the communication channel is a Java secure channel, wherein the stream is a Java stream,

wherein the method further comprises the step of connecting the Java secure channel to a second Java stream, and

wherein the second Java stream provides for the transmission of data according to a specific communication protocol.
(54) Layer-independent security for communication channels

(57) A method and apparatus for providing layer-independent secure network communication is provided. According to an embodiment of the invention, a transmission medium (206) is provided between a first network node (200) and a second network node (204). Both the first network node and the second network node support at least one common communication protocol. A Java output stream (21 B) is established between a first process (206) executing on the first network node and the transmission medium. Also, a Java input stream (220) is established between a second process (210) executing on the second multilayered node and the transmission medium. Data to be transmitted from the first process to the second process is encrypted by the first process and written to the Java output stream. The data is transmitted to the second network node. Then the data is read from the Java input stream by the second process and decrypted.